IP protection on the factory floor

“The beatings will continue until the morale improves!” is a favourite saying of mine. Behind the juxtapositional humour is an important lesson, which anyone versed in organisational behaviour will find axiomatic. This is that employees become engaged and embrace company goals, procedures and programmes when they are informed, understand the rationale and are then consulted for ideas which support such efforts, rather than when such approaches are implemented by way of fiat (ie, through the power of the superior-subordinate relationship).

As an in-house IP attorney, I am responsible not only for the duties related to traditional notions of IP law, but also for institutionalising protective measures for my company’s intellectual property. More specifically, I am responsible for introducing protection for the intellectual property embodied in trade secrets and confidential information beyond what is afforded by law. For the most part, when it comes to exercising your company’s lawful rights with regard to trade secret protection, it is probably too late – a matter of closing the barn door after the horse has bolted. The time to act is well before anyone has the opportunity to leave that barn door ajar – which is easier said than done. However, if handled correctly, an organisation’s loss of sensitive information can be significantly mitigated.

Policy is not enough

In exploring the steps an entity should undertake to protect its intellectual property, most begin, correctly, by establishing an IP protection policy. This job is typically assigned to middle or executive management and adopted by the proper sanctioning intra-company governing body – which can be anything from an IP committee to the board of directors. In my opinion, the greater the clout of the sanctioning internal committee or board, the greater the resonance the policy will have throughout the organisation. However, establishing a policy – even if this is done with unanimous support from the board of directors by written resolution and then announced with all of the fanfare of a press release – while laudable, acts merely as a platitude. It is crucial that the IP protection policy be embraced by all employees at every level of the organisation – especially where the intellectual property resides or is operative.

Things of value are almost always protected. Cash is safeguarded in banks and other financial institutions where it is deemed to be safe and secure. But where are a company’s trade secrets kept? Certainly not in any bank vault – while such protection might keep them safe, it would prevent the intellectual property from being used for the benefit of the organisation. It would be tantamount to making sure our roads were perfectly safe by keeping every vehicle parked. Rather, trade secrets can be found anywhere in the organisation that they are being employed, typically in operations. For most organisations this means on the factory floor; a great place to begin your IP trade secret protection engagement.

In my practice, the procedure is straightforward. I engage everyone at every level in the manufacturing organisation. When I visit a plant, I set up as many meetings as necessary to bring the message to everyone on site – the plant manager, her or his direct reports, foremen, supervisors and operators. This list is augmented by any other ancillary functions which may be located (or co-located) at the facility, such as logistics, cost accounting, inside sales, sourcing, human resources and maintenance. I begin by explaining what intellectual property is (with the emphasis on ‘property’), that it has value, anything with value should be protected with measures proportionate to the value and that everyone has a role and responsibility in protecting intellectual property.

Figure 1A. The labels you give your classification levels are arbitrary. Moreover, the descriptions here are general at best; each organisation should collaborate among its functional principals and take great care in defining what each classification level contains

Figure 1B. The more valuable or sensitive the information, the greater the protection it should be given

Instil a culture of IP protection

In countries where intellectual property is a developing concept, the first steps of explaining intellectual property can be the most difficult. It can be an extremely challenging proposition for employees to hear the principles of intellectual property for the first time and for you to explain that the company owns what is in their heads (ie, trade secrets, confidential and other sensitive information) – even information, ideas and inventions which they themselves generated related to and in the course of their employment.

These meetings not only help employees to engage with the notion of protecting company trade secrets (and other confidential information), but also create an awareness about why certain practices might be modified or introduced. Measures such as camera policies (which today would necessarily include smartphones), access restrictions for site areas which were previously open to anyone, limiting sensitive information sharing or installing greater security (ie, CCTV coverage), become much easier to understand and to accept when they are linked back to the IP training.

When conducting such training, I start by defining ‘confidential information’. I struggled for a while for a definition which would make sense and fit in well with the subject matter before finally settling on “any non-public company information that if disclosed to a competitor, such competitor would find it useful”. Given this, I speak to everyone about the three strategies we have in place to keep our confidential information safe and direct people towards four different areas through which loss is likely to occur.

All visitors entering the manufacturing site must surrender their mobile phones, which are retained by security personnel under lock and key during the visit

Identifying non-employees on site is helpful so that employees can quickly tell if visitors are in unauthorised areas or undertaking activities contrary to IP protection policies

First is the classification of confidential information. Confidential information can be divided into a manageable number of progressive classifications (most organisations use three or four), from the least sensitive to the most sensitive. The labelling itself is arbitrary – what matters is carefully defining each classification and then assigning the right amount of protection for each level. The more valuable the information, the greater the protection it requires.

The second strategy to be employed is to limit disclosing information throughout the organisation by adopting a ‘need to know’ approach. Again, the more sensitive the confidential information, the greater the value and the greater the value, the more restrictive the access to it by individuals in the organisation. This is an area where organisations will need to pay attention to change management. Employees who once had unfettered access to certain information, may – after the implementation of an IP protection programme – lose such access and equate this with a loss of trust. Again, talking, discussing and engaging employees at every level attenuates any such misconceptions and helps to foster adoption.

New security lockers installed for employees for safe storage following the implementation of a no-phone policy on site premises

In areas where barriers cannot be put in place or are wholly impractical, access to sensitive areas can at the very least be monitored using the relatively inexpensive medium of CCTV

Finally, there is layered security. For a physical location, this means limiting access to the site, to certain buildings or areas within the site and to rooms, filing cabinets, closets and desks within the building. Areas which cannot be kept under lock and key should be monitored with security personnel or CCTV or its equivalent. For electronic information, the layers of security should start where the hardware is located and be continued through the use of encryption and passwords at various levels depending on the classification of the confidential information.

As mentioned earlier, these strategies are employed across four fronts which – if left unguarded – would be conduits for information loss.

Site security

Physical security should be used to protect the locations where your organisation holds confidential information or practises the trade secrets within your IP portfolio. Using the strategies outlined above, each area on site should be graded according to what classification of confidential information resides there. An area containing information with multiple classifications should be marked no less than the most sensitive classified information present. There should be layers of security, starting with physical barriers to the location (ie, fences and walls), while entrances should be minimised and secured; or, if this is not possible, monitored with either security personnel or video or audio surveillance equipment. The same should be true for buildings and areas within buildings which house sensitive information. Only individuals who need to do their job should be authorised to enter such areas. Sharing this policy with all of your employees will help them to assist with the IP protection effort – employees who then observe unauthorised co-workers, visitors or other third parties in sensitive areas will know to report such activity. It would be no different if one employee saw another unauthorised employee in the HR manager’s office rifling through the personnel files of others – it is an out-of-the-ordinary situation which should be reported and investigated further.

IP protection does not have to be overly sophisticated or use cutting-edge technology. Sometimes a simple curtain to keep your trade secret from casual passers-by is all that is necessary

Third-party protection

Protection against information loss involving third parties is another area of concern. If you must share sensitive information with third parties, mark it with the relevant classification level and then assign the proper protections. Do you share by providing a copy or do you send it out through a secure file-sharing website location with digital rights management protection features? Too many times I have witnessed engineers, managers, sourcing personnel share too much with third parties without adequate protection. If a sales person visits the plant to talk about pricing, delivery, quality specifications or quantities, why does he or she need to go out onto the factory floor and witness the operations? It is a question which should be asked and assessed, with access being provided on a need-to-know basis only.

Labelling sensitive areas at least takes away the defence “I didn’t know” from those found in confidential areas without authorisation

Electronic information protection

Sensitive areas of the site should be labelled as such and the appropriate security employed

One plant manager decided that marking sensitive IP areas with red and white stripes would be preferable to having a sign

Confidential information or trade secrets embodied electronically is another area of great concern. Not only because this is the principal format in which all information is stored (including sensitive information), but also because it allows a tremendous amount of information to be moved with relative ease. I have experienced an exiting engineer misappropriating an entire set of drawings to build a manufacturing plant from scratch in a single thumb drive. A robust digital loss prevention programme incorporates the following three strategic approaches to preventing information loss:

• blocking transmission to certain endpoints, such as drop boxes, email addresses or portable storage devices;
• using keyword recognition for auto-classification; and
• applying digital rights management tools to limit file uses (eg, disallowing editing, screen capture, printing and automatically deleting the files after a certain date).

Employee protection

Walt Kelly’s character Pogo’s most famous quote – “We have met the enemy and he is us” – applies here. Studies indicate that between 40% and 60% (maybe even higher) of all IP loss suffered by companies is perpetrated by its own employees – typically, employees leaving a company to work for a competitor. Moreover, in countries where intellectual property is still a developing concept, many exiting employees do not look on this as doing anything wrong. It is only duplicate information; there is no deprivation.

This is why engaging first-level employees front and centre is so crucial. It may not be easy to get them to understand, but it is vital to impress on them that this is not only wrong, but also a criminal act – something for which they can be prosecuted, suffer heavy fines or jail sentences. If this accomplishes only one thing it does at least remove the defence “I didn’t know”. I find many supervisors or managers shy away from this topic as they believe it is either an uncomfortable subject or too provocative. However, in my experience, it is when addressing this topic that employees become most engaged. I measure this by the number of questions they ask, an indication of how curious they are. My most helpful suggestion for promoting understanding is to focus on the property portion of intellectual property. Everybody understands that taking the property of another is stealing.

Any enterprise that truly values its intellectual property will protect it as best practices dictate. Companies which do no more than espouse the importance of protection will quickly discover that they are the ones closing doors to empty barns and incurring high costs to pursue those who have misappropriated their intellectual property. Companies which understand that the best IP protection is to prevent loss by engaging and educating the workforce – especially those in possession of valuable trade secrets and other confidential information – will preserve the value of their intellectual property.